Invision board versions 1.3.1 and below are susceptible to SQL injection attacks. Patch included.
c69852c683621b1597fc45775faed3acad28f902b519c805a9e5ee5677696b8eThis is a multi-part message in MIME format.
------=_NextPart_000_0005_01C53EE6.43632B60
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
=20
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dcrab 's Security Advisory (http://www.digitalparadox.org/services.ah)
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Severity: Medium
Title: Invision board 1.3.1 and below are vulnerable to a sql injection =
vulnerability [PATCH INCLUDED]
Date: 09/04/2005
Vendor: Invision Invision Power Services
Vendor Website: http://www.invisionboard.com/
Summary: Invision board 1.3.1 and lower are vulnerable to a sql =
injection vulnerability which is caused by the non validation of input=20
in the $this->first variable
*************************************************************************=
*********************************
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. =
Learn more at http://www.digitalparadox.org/services.ah
*************************************************************************=
*********************************
Proof of Concept Exploit:=20
http://localhost/forums/index.php?act=3DMembers&max_results=3D30&filter=3D=
1&sort_order=3Dasc&sort_key=3Dname&st=3DSQL_INJECTION
**************
Patch info
**************
A patched version of the vulnerable file can be found at, =
http://www.digitalparadox.org/memberlist.txt=20
Just replace /uploads/sources/memberlist.php with this, and it will be =
fixed.
A simple patch can be,
In /uploads/sources/memberlist.php on Line 274 add this code=20
[CODE BEGINS]
if (!is_numeric($this->first)) {
$this->first =3D "0";
}
[CODE ENDS]
So it should finally look like,
[CODE BEGINS]
$this->output .=3D $this->html->Page_header( array( =
'SHOW_PAGES' =3D> $links) );
//-----------------------------
// START THE LISTING
//-----------------------------
if (!is_numeric($this->first)) {
$this->first =3D "0";
}
$DB->query("SELECT m.name, m.id, m.posts, m.joined, =
m.mgroup, m.email,m.title, m.hide_email, m.location, m.aim_name,=20
m.icq_number,
me.photo_location, me.photo_type, =
me.photo_dimensions
[CODE ENDS]
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
Author:=20
These vulnerabilties have been found and released by Diabolic Crab, =
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel=20
free to contact me regarding these vulnerabilities. You can find me at, =
http://www.hackerscenter.com or http://digitalparadox.org/.=20
Lookout for my soon to come out book on Secure coding with php.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
iQA/AwUBQlqrUSZV5e8av/DUEQJMtQCfZWYAAYfGX5zfmCWHxMGZffi87tUAnRGj
hAJ8nVzhK+VIlL4iPxDJRh02
=3Dn3TC
-----END PGP SIGNATURE-----
Diabolic Crab
Web Security, Research & Development
dP Security
email: dcrab@digitalparadox.org
website:www.digitalparadox.org=20
This message is confidential. It may also contain information that is=20
privileged or otherwise legally exempt from disclosure.=20
If you have received it by mistake please let us know by e-mail=20
immediately and delete it from your system; should also not copy=20
the message nor disclose its contents to anyone. Many thanks.
------=_NextPart_000_0005_01C53EE6.43632B60
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2604" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><!--StartFragment --><FONT =
face=3D"Times New Roman"=20
size=3D3> </FONT><PRE>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dcrab 's Security Advisory (http://www.digitalparadox.org/services.ah)
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Severity: Medium
Title: Invision board 1.3.1 and below are vulnerable to a sql injection =
vulnerability [PATCH INCLUDED]
Date: 09/04/2005
Vendor: Invision Invision Power Services
Vendor Website: http://www.invisionboard.com/
Summary: Invision board 1.3.1 and lower are vulnerable to a sql =
injection vulnerability which is caused by the non validation of input=20
in the $this->first variable
*************************************************************************=
*********************************
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. =
Learn more at http://www.digitalparadox.org/services.ah
*************************************************************************=
*********************************
Proof of Concept Exploit:=20
http://localhost/forums/index.php?act=3DMembers&max_results=3D30&=
filter=3D1&sort_order=3Dasc&sort_key=3Dname&st=3DSQL_INJECTIO=
N
**************
Patch info
**************
A patched version of the vulnerable file can be found at, =
http://www.digitalparadox.org/memberlist.txt=20
Just replace /uploads/sources/memberlist.php with this, and it will be =
fixed.
A simple patch can be,
In /uploads/sources/memberlist.php on Line 274 add this code=20
[CODE BEGINS]
if (!is_numeric($this->first)) {
$this->first =3D "0";
}
[CODE ENDS]
So it should finally look like,
[CODE BEGINS]
$this->output .=3D $this->html->Page_header( =
array( 'SHOW_PAGES' =3D> $links) );
//-----------------------------
// START THE LISTING
//-----------------------------
if (!is_numeric($this->first)) {
$this->first =3D "0";
}
$DB->query("SELECT m.name, m.id, m.posts, m.joined, =
m.mgroup, m.email,m.title, m.hide_email, m.location, m.aim_name,=20
m.icq_number,
me.photo_location, me.photo_type, =
me.photo_dimensions
[CODE ENDS]
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
Author:=20
These vulnerabilties have been found and released by Diabolic Crab, =
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel=20
free to contact me regarding these vulnerabilities. You can find me at, =
http://www.hackerscenter.com or http://digitalparadox.org/.=20
Lookout for my soon to come out book on Secure coding with php.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
iQA/AwUBQlqrUSZV5e8av/DUEQJMtQCfZWYAAYfGX5zfmCWHxMGZffi87tUAnRGj
hAJ8nVzhK+VIlL4iPxDJRh02
=3Dn3TC
-----END PGP SIGNATURE-----
</PRE></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Diabolic Crab<BR>Web Security, =
Research &=20
Development<BR>dP Security<BR>email: <A=20
href=3D"mailto:dcrab@digitalparadox.org">dcrab@digitalparadox.org</A><BR>=
website:www.digitalparadox.org=20
</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>This message is confidential. It may =
also contain=20
information that is <BR>privileged or otherwise legally exempt from =
disclosure.=20
<BR>If you have received it by mistake please let us know by e-mail=20
<BR>immediately and delete it from your system; should also not copy =
<BR>the=20
message nor disclose its contents to anyone. Many thanks.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV></BODY></HTML>
------=_NextPart_000_0005_01C53EE6.43632B60--
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed